A network firewall commonly serves as a primary line of defense against external threats to an organization's computer systems, networks and critical information. A firewall may serve as a network gateway that applies a security policy to filter traffic between a network under private administrative control, such as a corporate intranet, and a public network, such as the Internet. A firewall can also be used to partition networks and to partition or interconnect virtual private networks (VPNs). A firewall may be used within a network to impose communications policies between sub-networks or machines within that network. A firewall may define different policies to govern communications between different networks, sub-networks or machines.
Information is ordinarily transmitted within networks in packets, and the term packet refers to a unit of data communicated within a network. A packet typically includes a packet source identifier and a packet destination identifier used to route the packet data through a network. The term packet may refer to a unit of data communicated at any level of the Open Systems Interconnection (OSI) protocol stack and between levels of the OSI stack.
A firewall inspects and filters packets at an interface between networks and passes or blocks packets based upon user-defined criteria. The filtering involves a decision-making process that includes checking the contents of packets entering or leaving an associated network and passing or denying passage of packets through the firewall depending upon whether the packets comply with the predefined access rules.
A security administrator ordinarily configures firewall rules within a file. The firewall rules instruct a firewall engine as to which packets to pass and which to block. A typical firewall rule identifies a packet source, a packet destination, a service group (e.g., port number and protocol) and an appropriate action, such as to pass or drop a packet or to report the packet. A firewall may have several network interfaces. The firewall intercepts and inspects packets that enter any of its network interfaces to identify matches between the packet contents and the security rules the firewall has been configured to enforce.
The following is an example firewall rule: Source—ANY, Destination—192.148.120.12, Port—80, Protocol—Transmission Control Protocol (TCP), Action—Accept, where 192.148.120.12 is the server to which port 80 Hypertext Transfer Protocol (HTTP) traffic is to be allowed, and ANY signifies all devices on the network (i.e., all addresses on the network).
The above firewall rule identifies a specific destination machine Internet Protocol (IP) address as one condition for application of the rule, and indicates that any source machine's address suffices to meet the other condition for application of the rule. Thus, the above firewall rule is an example of a firewall rule that includes a pair of machine-identifier-dependent conditions.
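The following is an added illustration, not part of the original text, of how a firewall engine evaluates a packet against a rule list such as the example rule above. The rule (Source—ANY, Destination—192.148.120.12, Port—80, Protocol—TCP, Action—Accept) is taken from the text; the `Packet`, `Rule`, `rule_matches` and `evaluate` names, the first-match semantics, the implicit default-deny action, and the second (CIDR-based) rule and sample packets are assumptions made for the example. The last sample packet also shows the maintenance problem described below: once the server's address changes, the address-bound rule silently stops matching and the traffic falls through to the default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Union

ANY = "ANY"  # wildcard: matches every address, port or protocol


@dataclass(frozen=True)
class Packet:
    """The packet header fields a rule conditions on (constructed for this example)."""
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str    # "TCP", "UDP", ...


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source, destination, service group (port + protocol), action."""
    source: str               # "ANY", a single IP, or a CIDR network
    destination: str          # "ANY", a single IP, or a CIDR network
    port: Union[str, int]     # "ANY" or a port number
    protocol: str             # "ANY", "TCP", "UDP", ...
    action: str               # "ACCEPT", "DROP", ...


def _addr_matches(spec: str, addr: str) -> bool:
    """A single IP spec is treated as a /32 network; strict=False allows host bits."""
    if spec == ANY:
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All four conditions of the rule must hold for the rule to apply."""
    return (
        _addr_matches(rule.source, pkt.src)
        and _addr_matches(rule.destination, pkt.dst)
        and (rule.port == ANY or rule.port == pkt.dport)
        and (rule.protocol == ANY or rule.protocol.upper() == pkt.proto.upper())
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First-match evaluation (assumed); no matching rule yields the default action (deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Rule 1 is the example rule from the text; rule 2 is a constructed CIDR rule.
RULES = [
    Rule(source=ANY, destination="192.148.120.12", port=80, protocol="TCP", action="ACCEPT"),
    Rule(source="10.0.0.0/8", destination="192.148.120.12", port=22, protocol="TCP", action="ACCEPT"),
]

# Constructed sample packets.
HTTP_TO_SERVER = Packet(src="203.0.113.7", dst="192.148.120.12", dport=80, proto="TCP")
HTTPS_TO_SERVER = Packet(src="203.0.113.7", dst="192.148.120.12", dport=443, proto="TCP")
UDP_80_TO_SERVER = Packet(src="203.0.113.7", dst="192.148.120.12", dport=80, proto="UDP")
SSH_FROM_INSIDE = Packet(src="10.1.2.3", dst="192.148.120.12", dport=22, proto="TCP")
SSH_FROM_OUTSIDE = Packet(src="203.0.113.7", dst="192.148.120.12", dport=22, proto="TCP")
# Same server after a (constructed) address change: the rule no longer matches.
HTTP_TO_MOVED_SERVER = Packet(src="203.0.113.7", dst="192.148.120.13", dport=80, proto="TCP")


def demo() -> dict:
    """Evaluate each sample packet and return the resulting action per packet name."""
    samples = {
        "http_to_server": HTTP_TO_SERVER,
        "https_to_server": HTTPS_TO_SERVER,
        "udp_80_to_server": UDP_80_TO_SERVER,
        "ssh_from_inside": SSH_FROM_INSIDE,
        "ssh_from_outside": SSH_FROM_OUTSIDE,
        "http_to_moved_server": HTTP_TO_MOVED_SERVER,
    }
    return {name: evaluate(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22s} -> {action}")
```

Only the packet whose destination address, port and protocol all match the example rule is accepted; a different port, a different protocol on the same port, or an SSH connection from outside the 10.0.0.0/8 range falls through to the default deny. The moved-server case is the point of the next paragraphs: the rule still looks correct, but because it is bound to an IP address, it stops applying the moment the address changes.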
One challenge with defining firewall rules in terms of source and destination addresses is the need for an administrator to continually update the rules to keep abreast of changes in network configuration. Machines may be added to or removed from a network, and machines' IP addresses can change from time to time, requiring corresponding changes to the firewall rules.
Further, in complex networks in which changes are many and frequent, the need to update firewall rules to keep pace with changes to the network configuration can pose a significant challenge. Such changes include user-configured firewall rules, network interface controller (NIC) assigned IP addresses in an IP address management (IPAM) table, network address translation (NAT) addresses in a NAT table, virtual machine (VM) inventory objects and the like. This is an even greater challenge in a virtual network environment, where firewalls cannot be configured while the virtual machines (VMs) are not powered on, because typically firewall rules cannot be configured for VMs that do not yet exist.